On our last call we discussed two potential concerns with the XML
Security requirements document(s):

1. Matching the requirements to action taken in the specifications
2. Dealing with changes going forward, with stability of the
requirements in light of design discussions.

I have taken another look at the requirements and think we can
simplify our work going forward, as well as the understanding by those
who look at XML Security WG deliverables, if we do the following:

1. Have two sets of requirements documents, one associated with 1.1 and
one with 2.0. This should make it much easier to correlate
requirements with changes.

2. Eliminate material from the requirements that is so generic as to
apply to all XML Signature cases, from 1.0 to 2nd edition to 1.1 and
2.0. In other words, retain only that which we can act upon in our new
work.

3. Add material as necessary to reflect additional use cases and
discussions since original drafts were written.

With this in mind I propose the following changes:

Part A

XML Security Use Cases and Requirements
http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html

1. Change the title to "XML Security 1.1 Requirements and Design
Considerations"

2. Update SOTD to reflect that a WD has already been published

3. In 1, Introduction, remove ", and XML Signature 2.0 and/or other
specifications".
Remove "It is a work in progress."

4. Revise section 3 heading and introductory paragraph. Change to:

"Requirements and Design Options"

"This section outlines the motivation, requirements and design
considerations for XML Security 1.1,"

(the text and bullet list before 3.1 in section 3 is removed and
replaced with the above.)

5. Remove section "3.1 - Long term signatures" as this has had no
impact on either the 1.1 or 2.0 specifications.

6. Add new section, "Widget Security" with the following content:

Use Cases

Widgets may require signing for integrity protection and source
authentication. This signing of a Widget package may be provided
using XML Signature.

Requirements

Provide the ability to sign and verify a widget package using XML
Signature. Enable the use of SHA-256 to support sufficient security.
Support the use of properties in a XML Signature, including Profile,
Role, and Identifier properties to enable interoperable
interpretation of signatures. See the Widget Signature specification
for a summary of requirements [WidSig].
(add reference to document, http://dev.w3.org/2006/waf/widgets-digsig/)

Design

Define generic widget properties. See XML Signature Properties
[SigProp].
(add reference to document, http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html)

7. Move "3.2 - Web Services Security" to a new Requirements 2.0
document, discussed below

8. Fix long line in example in 3.3.5.1, Create a ds:DerivedKey Type

9. Remove section "3.4 Transforms" as it is only applicable to 2.0,
new Requirements 2.0 document.

10. References - remove BradHill, EXI, Gajek, Infoset, McIntoshAustel,
Thompson, TransformSimplification, WSI-BSP10, WS-SecureConversation13,
WS-SecurityPolicy12, WS-Trust13, WSS, WSS-Username11, XAdES, XSD
references. Those relevant to 2.0 will be included in 2.0 requirements
document.

11. Remove change log.

Part B

XML Signature Transform Simplification: Requirements and Design
http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html

12. Change title to "XML Security 2.0 Requirements and Design Options"

13. Update SOTD to reflect requirements and design options for 2.0

14. Copy principles section from 1.1 requirements document into new
principles section.

15. Update Introduction to state this is requirements and design
options for 2.0, including Canonicalization and Signature.

16. Move 1.1 - "Note on Namespaces" into "section 4.1, overview of new
syntax"

17. At end of section 2 incorporate "3.2 Web Services Security" from
original Requirements document.

18. Update references, including references needed for Web Services
Security, and reference Requirements 1.1

Comments?

This should complete ACTION-414.

regards, Frederick

Frederick Hirsch
Nokia
On Oct 16, 2009, at 8:01 AM, Hirsch Frederick (Nokia-CIC/Boston) wrote:
> I propose we make the following changes to the XML Security
> requirements document [1]:
>
> 1. Merge the Transform Simplification document [2] into the main use
> cases and requirements document. Update the simplification document to
> indicate that it has been merged into the use cases and requirements
> document. Merge abstract, references and acknowledgements sections.
>
> I think this makes sense since it is logically part of the
> requirements document, this will reduce confusion and the number of
> documents.
>
> 2. Change the section title from "Transforms" to "Simplify processing
> model, reduce attack surface, and enable streaming".
>
> 2. Move the namespaces note in the transform note into the design
> section of that use case.
>
> 3. Change the title of the requirements document to "XML Security
> Requirements and Design"
>
> 4. Revise section 3 heading and introductory paragraph. Change to:
>
> "Requirements and Design Options"
>
> "This section outlines the motivation, requirements and design
> considerations for use cases and core aspects of XML Security
> specifications,"
>
> (the text and bullet list before 3.1 in section 3 is removed and
> replaced with the above.)
>
> The reason is that some of the cases are general considerations like
> security, while others are specific applications like web services
> security. Not all bullets in the original list have been covered.
>
> 5. Add a section, "Widget Security" with the following content:
>
> Use Cases
>
> Widgets may require signing for integrity protection and source
> authentication. This signing of a Widget package may be provided using
> XML Signature.
>
> Requirements
> Provide the ability to sign and verify a widget package using XML
> Signature. Enable the use of SHA-256 to support sufficient security.
> Support the use of properties in a XML Signature, including Profile,
> Role, and Identifier properties to enable interoperable interpretation
> of signatures. See the Widget Signature specification for a summary of
> requirements [3].
>
> Design
> Define generic widget properties. See XML Signature Properties [4].
> (add reference to document)
>
> 6. Fix long line in example in 3.3.5.1, Create a ds:DerivedKey Type
>
> Please indicate any concern with these changes to the list - I'd like
> to agree on them on 20 Oct call so that we can have an updated draft
> for the F2F. At TPAC the WG can agree to an updated publication of
> these documents.
>
> What do you think?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
> [1] http://www.w3.org/2008/xmlsec/Drafts/xmlsec-reqs/Overview.html
>
> [2] http://www.w3.org/2008/xmlsec/Drafts/transform-note/Overview.html
>
> [3] http://dev.w3.org/2006/waf/widgets-digsig/
>
> [4] http://www.w3.org/2008/xmlsec/Drafts/xmldsig-properties/Overview.html
>
>